Securing GWT Apps using Spring Oauth & Spring Social

General purpose :

Provides a spring security configuration for any Oauth2 providers in our projects. For that I found many good starting points on the web and I merged them into a simple GWTP project forked from an existing repository ( which helped me to achieve this goal with minor changes.

This a solution for GWT developers who want to provide a session management using usual (Google, Facebook, …) or custom Oauth2 provider in their applications.

Dependency management :


<!-- Spring Social -->

<!-- Persistance dependencies -->

2 – Custom provider definition :

I added some classes here as other embedded Social provider to define my own provider

– Provider definition

public interface Corporate {
    CorporatePofile getUserProfile();

    void updateStatus(String message);

– Oauth2 provider service

public class CorporateServiceProvider extends AbstractOAuth2ServiceProvider<Corporate> {
    public CorporateServiceProvider(OAuth2Operations oauth2Operations) {

    public Corporate getApi(String s) {
        return new CorporateServiceTemplate(s);

– Provider service template

public class CorporateServiceTemplate extends AbstractOAuth2ApiBinding implements Corporate {
    private final static String corporateProfileURL = "http://localhost:8080/oauthprotoserver/profile/";
    private String accessToken;

    CorporateServiceTemplate(String accessToken) {
        this.accessToken = accessToken;

    public CorporatePofile getUserProfile() {
        try {
            ResponseEntity<String> content = getRestTemplate().exchange(URI.create(corporateProfileURL + accessToken),
                    HttpMethod.GET, null, String.class);

            // TODO Retrieve a Corporate JSON user build a serialized object
            return new CorporatePofile(content.getBody(),"","client1","employee","foo","bar");

        }  catch (HttpClientErrorException e2) {
            throw new OAuth2Exception(e2.getMessage());

    public void updateStatus(String message) {

And to perform the implicit SignUp and build a valid session with SocialUserDetails

– A SimpleConnectionSignUp which requires a JDBC user connection repository

public final class SimpleConnectionSignUp implements ConnectionSignUp {
    private final AtomicLong userIdSequence = new AtomicLong();

    public String execute(Connection<?> connection) {
        return Long.toString(userIdSequence.incrementAndGet());

– A SimpleSignInAdapter which will help to store UserDetails into Security Context

public class SimpleSignInAdapter implements SignInAdapter {
    private static final Logger log = LoggerFactory.getLogger(SimpleSignInAdapter.class);
    private final RequestCache requestCache;
    private final NuvolaCasDetailsService userService;

    public SimpleSignInAdapter(RequestCache requestCache,
                               NuvolaCasDetailsService userService) {
        this.requestCache = requestCache;
        this.userService = userService;

    public String signIn(String localUserId, Connection<?> connection, NativeWebRequest request) {
        SocialUserDetails user = userService.loadUserByUserId(connection.getDisplayName());
        // Return Application home page
        return "/";

This will help us into the final step add a simple login page to post a SignIn request catched by the ProviderSignInController (Framework controller)

<div align="center">
    <form id="casForm" name="casForm" action="/api/signin/corporate" method="POST" >
        <p><input name="login" value="Connexion via Portail" type="submit"></p>

The “corporate” at the end of the uri (/api/signin/corporate) is our providerId which is a Path parameter helping the controller to build a valid OAuth2ConnectionFactory.

3 – Spring security configuration :

public UserDetailsService userDetailsServiceBean() throws Exception {
    return super.userDetailsServiceBean();

OAuth2Template restTemplate() {
    return new OAuth2Template(corporateProvider().getClientId(),

@Scope(value="singleton", proxyMode= ScopedProxyMode.INTERFACES)
public SocialAuthenticationServiceLocator socialAuthenticationServiceLocator() {
    SocialAuthenticationServiceRegistry registry = new SocialAuthenticationServiceRegistry();
    registry.addConnectionFactory(new CorporateConnectionFactory(restTemplate()));

    return registry;

@Scope(value="singleton", proxyMode=ScopedProxyMode.INTERFACES)
public UsersConnectionRepository usersConnectionRepository() {
    JdbcUsersConnectionRepository connectionRepository =
            new JdbcUsersConnectionRepository(dataSource, socialAuthenticationServiceLocator(), Encryptors.noOpText());
    connectionRepository.setConnectionSignUp(new SimpleConnectionSignUp());
    return connectionRepository;

public ProviderSignInController providerSignInController() {
    ProviderSignInController controller = new ProviderSignInController(socialAuthenticationServiceLocator(),
            usersConnectionRepository(), new SimpleSignInAdapter(new HttpSessionRequestCache(),
    return controller;

AuthorizationCodeResourceDetails corporateProvider() {
    AuthorizationCodeResourceDetails codeResourceDetails = new AuthorizationCodeResourceDetails();
    return codeResourceDetails;

AuthorizationCodeResourceDetails googleProvider() {
    return null;

AuthorizationCodeResourceDetails facebookProvider() {
    return null;

protected AuthenticationManager authenticationManager() throws Exception {
    return super.authenticationManager();

protected void configure(HttpSecurity http) throws Exception {
            .apply(new SpringSocialConfigurer()


The complete source code is available here : I hope this will help many developers to customize Oauth2 authorization and authentication process via providers. This implementation supports the Oauth2 authorization code flow. Thanks to Spring community for this huge work

GWT 2.5 easy Bean validation

The goal of this paper is to setup quickly and smoothly a clean validation process on your DTO. It shows an easy setup using GIN and GWT-Dispatch. An Intro is also available here Gwt 2.5 Validation Intro

The needed libraires to start are: Javax validation (Api), Hibernate validators (Sources and Implementation) and Slf4j (logger).
For the next step we are going to build a custom annotation which will be use into our gwt-dispatch actions:
Here the code for custom validator and his annotation:

@Target({ ElementType.FIELD, ElementType.ANNOTATION_TYPE })
@Constraint(validatedBy = RequiredValidator.class)
public @interface Required {
    String message() default "Value is required";
    Class[] groups() default {};
    Class[] payload() default {};


public class RequiredValidator implements ConstraintValidator {
    public void initialize(Required constraintAnnotation) { }

    public boolean isValid(String value, ConstraintValidatorContext context) {
        return (!Strings.isNullOrEmpty(value));
        // use Guava strings to check null or empty value

Now we can use our required annotation into our action (There is also a possibility to use more than one annotation on our field):

public class SendMailAction extends ActionImpl {
    private String email;
    private SendMailAction(String email) { = email;
  // add accessors

To complete module settings we need a validator factory for the module like it is shown into the Gwt Devguide:

public final class ClientValidatorFactory extends AbstractGwtValidatorFactory {

    // Syntax for multiple class:  @GwtValidation({action1.class, action2.class})
    public interface GwtValidator extends Validator {
    public AbstractGwtValidator createValidator() {
        return GWT.create(GwtValidator.class);

Now we are going to write a generic constraint validation manager which will be provided using Gin Injector. Here it is :

public class ClientValidation extends Validation {
    private Validator validator;
    private Set<ConstraintViolation> constraintViolations;

    public ClientValidation() {
        this.validator = buildDefaultValidatorFactory().getValidator();
    public Set<ConstraintViolation> getConstraintViolations(Object object) {
        this.constraintViolations = validator.validate(object);
        return constraintViolations;
    public String getPrimaryMessage() {
        return constraintViolations.iterator().next().getMessage();

Finally we can configure one single instance into our module:


and use it everywhere on client side with @Inject:

if (!clientValidation.getConstraintViolations(new sendMailAction(email)).isEmpty()) {
} else {
    // do something

Thanks to the GWT team for those enhancements for client side validation.

Securing Spring Faces (Webflow 2 + Spring Security 3) application.

The post is for people who are using Spring Faces and need basic security aspects.

Update your spring faces dependency in the pom.xml if your project is a maven one :
There is a bug in the 2.3.0 Release between the flow executor and phase listener. This is important because our login page is a facelet which is not in a flow.


Add context security file to the configuration with this content :

<security:http auto-config="true">
		<security:intercept-url pattern="/views/**" access="ROLE_USER"/>
			login-page="/" authentication-failure-url="/"
			default-target-url="/flowprocess/shopping" />
	<security:user-service id="userService">
    		<security:user name="guest" password="guest" authorities="ROLE_USER"/>
		<security:authentication-provider user-service-ref="userService"/>

Configuring security into webflow in 2 steps:

1 – Adding secure flow context listener into the configuration file as shown below :

<beans:bean id="securityFlowExecutionListener" class="" />

<beans:bean id="facesContextListener" class="org.springframework.faces.webflow.FlowFacesContextLifecycleListener"/>

<flow-executor id="flowExecutor">
		<listener ref="facesContextListener"/>
		<listener ref="securityFlowExecutionListener"/>

2 – Configure the flow to check access and authorizations before runing by adding the secure tag into the flow.xml file:

<flow start-state="identifyCustomer" xmlns=""

<secured attributes="ROLE_USER"/>


Very Important Notice : If we’re using subflows in our architecture, Spring does not propagate the secured configuration to child. Secure tag must be explicitely mentionned in all our subflows. I hope this will be a fix in further releases.

Create a Spring security form-login as index page into the project.

<h:form prependId="false" >
	<table class="form">
		<td><h:outputLabel value="Identifiant: " for="j_username" /></td>
		<td><h:inputText id="j_username" required="true" value="#{authenticationBean.username}" styleClass="textInput" /></td>
		<td><h:outputLabel value="Mot de passe " for="j_password" /></td>
		<td><h:inputSecret id="j_password" required="true" value="#{authenticationBean.password}" styleClass="textInput" /></td>
	<div class="buttonContainer">
		<h:commandLink styleClass="styledButton" action="#{authenticationBean.onLogin}" value="Connect"  />

Now the flow is secure and to execute it, user should give corrects credentials. In the next article i’ll integrate OpenID authentication.

In my project i have shopping-flow wich use customer-flow as subflow. To check the point in notice above, try to call directly the shopping/customer here unsecured access to the subflow and secured access, redirection to the login

The complete project source code is available here github

Build a jasper report merging pages with different format

– How to build a report with A4_portrait and Landscape pages ?

Due to the limitation of jasperReport to combine different oriented pages in one report, we are going to use Itext to create this kind of reports.

1 – In Ireport build individual templates with Portrait/Landscape orientation instead of report/sub-reports templates.

2 – Build a collection of Byte[] to save all the generated reports as shown in the code below

private List<byte[]> generateReports(Map parameters, Object objet){
    	List<byte[]> reports = new ArrayList<byte[]>();
    	JasperReport jasperReport = null;
    	JasperPrint jasperPrint = null;
    	HashMap labels = new HashMap();
    	try {
    	JRBeanCollectionDataSource jdc = jdsfactory.createBeanCollectionDatasource(object);
    	jasperReport = (JasperReport) JRLoader.loadObject("templateFile.jasper");
    	jasperPrint = JasperFillManager.fillReport(jasperReport, parameters, jdc);
	// Repeat the previous operations for all individual reports	
    	} catch (Exception e) {

	return reports;

3 – Call the PDF printer method to concatenate incoming files given as a collection of byte[] and build an output stream.

public static void sendConcatenatedPDFStream(List pdffiles, String fileName , HttpServletResponse response) throws Exception { 
		response.setHeader("Pragma", "public");
		response.setHeader("Cache-Control", "max-age=0");
		response.setHeader("Content-disposition", "attachment;filename=" + fileName + ".pdf");
		int totallength = 0;
		List pdfs = new ArrayList();
		for (int i=0;i&lt;pdffiles.size();i++){
			pdfs.add(new ByteArrayInputStream(pdffiles.get(i)));
		BufferedOutputStream out = new BufferedOutputStream( response.getOutputStream());
		Document document = new Document();
		try {
			List readers = new ArrayList();
			int totalPages = 0;
			Iterator iteratorPDFs = pdfs.iterator();
			while (iteratorPDFs.hasNext()) {
				InputStream pdf =;
				PdfReader pdfReader = new PdfReader(pdf); readers.add(pdfReader); totalPages += pdfReader.getNumberOfPages();
			// Create a writer for the outputstream
			PdfWriter writer = PdfWriter.getInstance(document, out);;
			PdfContentByte cb = writer.getDirectContent(); // Holds the PDF data PdfImportedPage page;
			int currentPageNumber = 0;
			int pageOfCurrentReaderPDF = 0;
			Iterator iteratorPDFReader = readers.iterator(); // Loop through the PDF files and add to the output.
			while (iteratorPDFReader.hasNext()) { 
				PdfReader pdfReader =; // Create a new page in the target for each source page.
				while (pageOfCurrentReaderPDF < pdfReader.getNumberOfPages()) {
					document.newPage(); pageOfCurrentReaderPDF++;
					page = writer.getImportedPage(pdfReader, pageOfCurrentReaderPDF);
					cb.addTemplate(page, 0, 0); totallength += pdfReader.getFileLength(); 
				pageOfCurrentReaderPDF = 0; 
		} catch (Exception e) { 

Drools-guvnor manage access part-2

Using lightweight container Tomcat and Mysql server – Configuring drools-guvnor JAAS authentication module

Prequisites: Working with Drools Guvnor 5.3 deployed in Apache tomcat 6 running with Mysql 5.JDK version 1.6

0 – Deploy guvnor application with context name drools-guvnor. All users are guests then go the administration panel and set authorization for user admin or create another user with authorizations. Stop the server and we are going to enable Jaas database authentication

1 – Create authdb schema with guvnorusers table in mysql database.

CREATE TABLE guvnorusers (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `username` varchar(255) DEFAULT NULL,
  `password` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
INSERT INTO guvnorusers values (1,"admin","admin");

2 – Build a custom loginModule
Here you can find the maven source project for the custom login module drools login project sources
Just compile it and build a maven jar artifact.

3 – In %TOMCAT_HOME%/lib
Copy the loginModule exported jar file and the mysql connector jar.

4 – In %TOMCAT_HOME%/conf/context.xml, we add a resource declaration

<Resource name="jdbc/URDroolsDS" auth="Container"
	type="javax.sql.DataSource" driverClassName="com.mysql.jdbc.Driver"
	url="jdbc:mysql://yourserveradress:3306/authdb" username="dbuser"
	password="dbuserpassword" maxActive="20" maxIdle="10" maxWait="-1" />

5 – Update %TOMCAT_HOME%/webapps/drools-guvnor/WEB-INF/components.xml
to configure our repository to use external database and security settings

<security:identity authenticate-method="#{authenticator.authenticate}"


6 – Update %TOMCAT_HOME%/conf/server.xml to add a Realm declaration

<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm appName="drools-guvnor"
  dataSourceName="jdbc/URDroolsDS" localDataSource="true"/>

7 – Create a file jaasConfig on %TOMCAT_HOME%/conf with this content:
required debug=true;

8 – Before runing Tomcat create in %TOMCAT_HOME%/bin a file if you running on linux or setenv.bat on windows with this content (Working on linux)

JAVA_OPTS=”-Xms128m -Xmx256m$CATALINA_HOME/conf/jaasConfig”
export JAVA_OPTS

Now it’s time to restart your guvnor server and check authentication!

Drools-guvnor manage access – part 1

Externalize business or technical rules is very important for scalable applications but the BRMS service access should be managed. guvnor provides control UI access and operations using role based authorizations.

There are several permissions types as listed in drools-guvnor reference manual.
Admin with all permissions.
Analyst or Analyst read-only: analyst permissions for a specific category.
Package admin, Package developer or Package read-only: package permissions for a specific package.

– Allow user authentication control by updating the file compenent.xml located into the server deployed folder

<component name=">
      <property name="enableRoleBasedAuthorization">false</property>
// change false to true

Embedded Guvnor in Jboss server control access configuration:

Stop guvnor server if started in user guest mode and enable role based authorization.

Add drools-guvnor access policy in the file login-config.xml located in server/default/conf

<application-policy name="drools-guvnor">
<login-module code="" 
<module-option name="usersProperties">
<module-option name="rolesProperties">

Create properties files for users and roles with respective contents:

# A file for UsersRolesLoginModule (

# A file for UsersRolesLoginModule (

Restart the Jboss guvnor server and log into web interface using created accounts.

Drools – Guvnor: Spring integration

Using Spring 2.5, Drools-guvnor 5.0

Download Drools guvnor standalone version here jboss-drools-guvnor

Spring configuration:
– bean rulesAgent is for communication between our application and guvnor,
the Drools platform BRMS.
– bean droolsService uses rulesAgent to provide the needed service.

<bean id="rulesAgent" class="com.test.droolsproto.utils.DroolsProtoAgent"></bean>
<bean id="droolsService" class="com.test.droolsproto.serviceImpl.RuleDroolServiceImpl">
<property name="ruleAgent" ref="rulesAgent"></property>

Create file “” for the ruleAgent:
In this file the link to use a running instance of guvnor. The package “com.test.droolsproto.rules” is an existing rules package in guvnor. DroolsDemo at the end of package value is the name of the snapshot. A snapshot in guvnor represents an image of rule’s package at specific time.

package= com.test.droolsproto.rules/DroolsDemo

In the web project add drools librairies (drools-api-5.0.1, drools-core-5.0.1) and create DroolsProtoAgent class:

public class DroolsProtoAgent {
   private RuleBase rulebase;
   private StatefulSession session;
   private DroolsProtoAgent(){
   public RuleBase getRulebase() {
    if (rulebase != null) return rulebase;
    else {
       RuleAgent agent = RuleAgent.newRuleAgent( "/" );
       RuleBase rulebase = agent.getRuleBase();
       return rulebase;
  public void setRulebase(RuleBase rulebase) {
    this.rulebase = rulebase;
  public void setSession(StatefulSession session) {
    this.session = session;
  public StatefulSession getSession() {
    if ( rulebase == null ) {
      rulebase = getRulebase();
    session = rulebase.newStatefulSession();
    return session;

Create a drools service:

public class RuleDroolServiceImpl implements RuleDroolsService {

   private DroolsProtoAgent ruleAgent;

   public String applyRule(ValueObject a, ValueObject b){

   try {
     // Load knowledge base session
     StatefulSession ksession = ruleAgent.getSession();
     ksession.startProcess("droolsProcess"); //Start a predefined process in guvnor
     // Insert VO as Fact

     ksession.fireAllRules(); //Apply rules
     return "success or specific guvnor response";
   } catch (Throwable t) {
     return "failure";

  public DroolsProtoAgent getRuleAgent() {
   return ruleAgent;

  public void setRuleAgent(DroolsProtoAgent ruleAgent) {
   this.ruleAgent = ruleAgent;

Drools integration is complete.